Skip to content

Call /logout endpoint when logging out #46

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 11 commits into from
Closed

Call /logout endpoint when logging out #46

wants to merge 11 commits into from

Conversation

cblakeley
Copy link

@coveralls
Copy link

coveralls commented Jun 7, 2018
edited
Loading

Coverage Status

Coverage increased (+0.1%) to 85.153% when pulling abde4b4 on OpenLinkSoftware:openlink_pull_req into ab12fa7 on solid:master.

RubenVerborgh
RubenVerborgh suggested changes Aug 8, 2018
View reviewed changes
Copy link
Contributor

@RubenVerborgh RubenVerborgh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to understand why the /logout is needed in the first place. Also, this cannot be a GET.

src/webid-oidc.js Outdated
console.error(err)
})
.then(x => {
fetch(idp + '/logout', { method: 'GET', credentials: 'include'})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should move up, and there should only be one catch block.

(Also, unsure why we're using the then/catch syntax here instead of async/await.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, if this is a state-changing operation, this cannot be a GET!

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RubenVerborgh What must be used instead of GET ? The Solid-server has handler only for GET request

  router.get('/logout', LogoutRequest.handle)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, that's a bug in NSS: nodeSolidServer/node-solid-server#744

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RubenVerborgh I have fixed code GET was replaced with POST and call was moved up.

@RubenVerborgh RubenVerborgh changed the title OpenLink changes relating to Solid logout and switching accounts Call /logout endpoint when logging out Aug 11, 2018
@RubenVerborgh
Merge branch 'master' into OpenLinkSoftware-openlink_pull_req
a73c3b3 
* master: (23 commits)
  Add download link.
  Publish builds in gh-pages branch.
  Update url-parse.
  Allow relative popupUri parameter.
  Make app name default to host.
  Remove obsolete CSS class.
  Clarify popup generation instructions.
  Update webpack.
  Update dependencies to resolve security vulnerabilities.
  Release version 2.0.0 of the npm package.
  Update critical vulnerability.
  Use ellipsis icon for other IDP.
  Set minimum width for buttons.
  Render custom IDP as regular button.
  Increase spacing between buttons.
  Increase popup font size.
  Show current host as IDP choice.
  login no longer returns a function.
  Remove firstSession function.
  Remove authType.
  ...
@RubenVerborgh
Fix spacing.
c7272bd
@RubenVerborgh
Rewrite logout function in async style.
abde4b4
@RubenVerborgh
Copy link
Contributor

So I've been through this and tested it, but it doesn't work.

While this code makes a call to /logout, but that doesn't do the trick. What is actually needed is a proper logout along the lines of nodeSolidServer/oidc-rp@a78420b, but that commit hasn't made it to the final version yet.

To summarize: some of our dependencies need updates first in order for this to work. We'll have to wait on nodeSolidServer/oidc-auth-manager#20 for a proper fix.

@smalinin
Copy link

@RubenVerborgh I wrote already in => https://github.com/solid/node-solid-server/pull/701/files/20987f6ef23940805da58b611b4f64f95e897298#diff-237045f786d4918cf906b96a1c163eb9
that also the next fix is required for server side
file ./lib/create-app.js

      // without permission by including the credentials set by the Solid server.
      const origin = req.headers.origin
      const userId = req.session.userId
-      if (!argv.host.allowsSessionFor(userId, origin)) {
+      if (req.path !== '/logout' && req.path !== '/goodbye' && !argv.host.allowsSessionFor(userId, origin)) {

The logout will do nothing on server side without fix above, because it will be blocked by server.
Did you have such fix on server side, when you tested the fix?

@RubenVerborgh
Copy link
Contributor

We don't; so we first need this to land on the server before we continue on the client side.

But regardless, it does not seem like it's up to solid-auth-client to make this HTTP request, but rather to the OIDC library (which makes this request, but doesn't include cookies).

@smalinin
Copy link

@RubenVerborgh Ok,
Could you also recheck module dependency in Node-solid-server project ?
I have installed latest version of NSS from master branch( and executed npm install) and checked version of oidc-rp package in ~/node_modules/@trust/oidc-rp/
The version is => "@trust/oidc-rp@0.4.3", .
Is it Ok ?
I checked git https://github.com/solid/oidc-rp and I found version "version": "0.6.0" !!!

@RubenVerborgh
Copy link
Contributor

It's not okay, our OIDC versioning is problematic currently. This is because our oidc-module is a fork. @justinwb is looking into this.

@dmitrizagidulin
Copy link
Contributor

Like I mentioned in Gitter, we have a /different/ fix server side. And the logout API has changed to ‘logoutRequest()’ on the rp side.

@RubenVerborgh
Copy link
Contributor

@dmitrizagidulin Main problem is that the logoutRequest API isn't present in a released version. Can you coordinate with @justinwb?

@dmitrizagidulin
Copy link
Contributor

Yep, in the process of doing so.

@kjetilk kjetilk mentioned this pull request Aug 23, 2018
Merged
@smalinin
Copy link

@RubenVerborgh This fix isn't required, I rechecked all again. The problem was with:

  1. our fix for logout() method in oidc-rp package
  2. with current implementstion of logout() in oidc-rp, it works wrong:
    a) it call GET /logout after clearSession(), so server reject unauthorized /logout call
    b) GET /logout call doesn't have option credentials: 'include', so browser didn't clear session cookie.
    I will prepare and send fix for oidc-rp package later.

@RubenVerborgh
Copy link
Contributor

@smalinin Indeed, that's what I also concluded in #46 (comment).

I unfortunately went a bit too fast and have prepared nodeSolidServer/oidc-rp#11, but feel free to create your own. Won't merge until I hear back from you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
2 more reviewers

@RubenVerborgh RubenVerborgh RubenVerborgh requested changes

@smalinin smalinin smalinin left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cblakeley @coveralls @RubenVerborgh @smalinin @dmitrizagidulin